SC-900 Study Guide

Domain 1: Security, Compliance & Identity Concepts

  • Security Foundations: Shared Responsibility & Defence-in-Depth Free
  • Zero Trust: Never Trust, Always Verify Free
  • Encryption, Hashing & GRC Free
  • Identity: The New Security Perimeter Free

Domain 2: Microsoft Entra Capabilities

  • Microsoft Entra ID: Your Identity Hub Free
  • Hybrid & External Identities
  • Authentication: Passwords, MFA & Passwordless
  • Password Protection & Self-Service Reset
  • Conditional Access: Smart Access Decisions
  • Entra Roles and RBAC
  • Identity Governance: Entitlements and Access Reviews
  • PIM and Identity Protection

Domain 3: Microsoft Security Solutions

  • Azure Network Defence: DDoS, Firewall & WAF
  • Azure Infrastructure Security: VNets, NSGs, Bastion & Key Vault
  • Microsoft Defender for Cloud
  • Microsoft Sentinel: SIEM Meets SOAR
  • Defender XDR: The Unified Threat Platform
  • Microsoft Defender for Office 365
  • Microsoft Defender for Endpoint
  • Defender for Cloud Apps & Defender for Identity
  • Vulnerability Management & Threat Intelligence

Domain 4: Microsoft Compliance Solutions

  • Service Trust Portal, Privacy Principles & Microsoft Priva
  • The Purview Portal & Compliance Manager
  • Data Classification & Sensitivity Labels
  • Data Loss Prevention (DLP)
  • Records Management & Retention
  • Insider Risk Management
  • eDiscovery & Audit


Domain 4: Microsoft Compliance Solutions (Premium) · ⏱ ~11 min read

Service Trust Portal, Privacy Principles & Microsoft Priva

Where Microsoft proves its compliance, the six privacy promises it makes — and how Priva helps your organisation meet its own privacy obligations.

Where does Microsoft prove it’s trustworthy?

☕ Simple explanation

Think of a hotel’s hygiene rating certificate.

Before you stay at a hotel, you want proof it passed a health inspection. The certificate hanging on the wall tells you an independent inspector checked the kitchen, the rooms, and the fire escapes.

The Service Trust Portal is Microsoft’s version of that certificate wall. It’s a website where Microsoft publishes all its audit reports, compliance certificates, and security documentation so you can verify they meet the standards your industry requires.

The Service Trust Portal (servicetrust.microsoft.com) is a public-facing site where Microsoft publishes independent audit reports, compliance guides, and trust-related documentation for its cloud services.

Organisations use it to verify that Microsoft meets specific regulatory and industry standards before adopting or continuing to use Microsoft cloud services. Content is updated regularly as new audits and certifications are completed.

Service Trust Portal

The Service Trust Portal is your one-stop shop for trust documentation. You sign in with your Microsoft cloud account and can access:

  • Certifications, Regulations & Standards: audit reports proving Microsoft meets standards like ISO 27001, SOC 1/2/3, and FedRAMP
  • Reports, Whitepapers & Artefacts: data protection documents, pen test results, FAQ documents
  • Industry & Regional Resources: guidance tailored to specific industries (healthcare, finance) and regions (EU, Australia)
  • Resources for your Organisation: documents specific to your tenant’s compliance status

Key exam concept: The Service Trust Portal provides independent, third-party audit reports — not just Microsoft’s own claims. This is what makes it credible for regulatory purposes.

💡 Scenario: Nadia needs proof for an auditor

Nadia, the Compliance Officer at MedGuard Health, receives a request from their external auditor: “Prove that Microsoft’s data centres meet ISO 27001 standards.”

Nadia doesn’t need to audit Microsoft herself. She goes to servicetrust.microsoft.com, downloads the latest ISO 27001 audit report (conducted by an independent assessor), and hands it to the auditor.

Without the Service Trust Portal, MedGuard would have to send a formal request to Microsoft and wait weeks. The portal makes this self-service.

💡 Exam tip: Service Trust Portal access

You need to sign in with a Microsoft cloud account and accept a non-disclosure agreement the first time you access the portal. Not everything is publicly available — some documents require an authenticated session.

The exam may ask about what the portal contains. Remember the four categories: certifications, reports, industry resources, and resources for your organisation.

Microsoft’s six privacy principles

Microsoft commits to six privacy principles across all its cloud services. These aren’t just nice words — they’re backed by contractual agreements.

  • Control: you control your data. Microsoft gives you tools to manage, access, and delete your data
  • Transparency: Microsoft is clear about how it collects, uses, and shares data. Privacy statements are public
  • Security: Microsoft uses strong encryption and security practices to protect your data
  • Strong legal protections: Microsoft respects local privacy laws and fights government overreach for customer data
  • No content-based targeting: Microsoft does NOT scan your emails or documents to target you with advertising
  • Benefits to you: when Microsoft does collect data, it’s used to improve your experience, not sold to third parties

Key exam concept: The “no content-based targeting” principle is often tested. Microsoft does NOT use your email, chat, or document content to serve ads. This differentiates Microsoft 365 from free consumer services.

Data Protection Addendum (DPA)

The DPA is the contractual side of privacy. It’s a legal document that supplements your licensing agreement and details exactly how Microsoft processes customer data. It covers:

  • What data Microsoft processes and why
  • Microsoft’s security commitments
  • Data breach notification obligations
  • Sub-processor disclosure (third parties who touch your data)
  • GDPR-specific provisions for EU customers

💡 Scenario: Dr. Torres asks about patient data

Dr. Torres, MedGuard’s Chief Medical Officer, asks Nadia: “Can Microsoft read our patient records?”

Nadia shows him two things:

  1. The privacy principles — particularly “no content-based targeting” and “control”
  2. The DPA — the legal contract that prohibits Microsoft from accessing customer data for advertising and limits processing to providing the service

The DPA gives MedGuard legal recourse if Microsoft ever violates these commitments. It’s not just a promise; it’s a contract.

Microsoft Priva

While the privacy principles describe what Microsoft does, Priva helps your organisation manage its own privacy obligations.

☕ Simple explanation

Think of Priva as a privacy detective for your organisation.

Your company stores personal data about employees, customers, and patients. Privacy laws like GDPR say you must know where that data lives and who can access it, and that you must respond quickly when someone says “delete my data.”

Priva scans your Microsoft 365 environment, finds personal data, flags privacy risks, and helps you respond to data requests — all from one dashboard.

Microsoft Priva is a privacy risk management solution built into the Microsoft Purview family. It provides visibility into personal data stored across your Microsoft 365 environment and helps organisations meet privacy regulation requirements like GDPR, CCPA, and LGPD.

Priva has two main capabilities: Privacy Risk Management (proactive) and Subject Rights Requests (reactive).

Two sides of Priva

Privacy Risk Management is proactive; Subject Rights Requests is reactive.

Priva Privacy Risk Management
  • Purpose: proactively find and manage privacy risks
  • How it works: scans M365 for personal data, flags overexposed or over-retained data
  • Example: alerts you that 500 files with SSNs are shared with external users
  • Regulation link: GDPR Article 5 (data minimisation), Article 25 (privacy by design)

Priva Subject Rights Requests
  • Purpose: respond to data subject access requests (DSARs)
  • How it works: automates the search, collection, and review of personal data for a specific individual
  • Example: a patient asks “what data do you have about me?” and Priva finds it all
  • Regulation link: GDPR Article 15 (right of access), Article 17 (right to erasure)

💡 Scenario: Nadia handles a patient data request

A former patient contacts MedGuard: “Under the Privacy Act, I want to know what personal data you hold about me.”

Nadia opens Priva Subject Rights Requests and creates a new request for that individual. Priva automatically:

  1. Searches across Exchange, SharePoint, OneDrive, and Teams for that patient’s personal data
  2. Collects and de-duplicates results
  3. Flags items for Nadia to review before releasing

Instead of manually searching every system, Nadia has a complete picture in hours, not weeks. MedGuard meets the regulatory deadline with time to spare.
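To make the proactive/reactive split concrete, here is a small Python model of the two capabilities, added as an illustration for this guide. It is not Microsoft’s code and does not use any Priva API: the in-memory “tenant” (items from Exchange, SharePoint, OneDrive and Teams), the domain medguard.example, the patient record, and the SSN/email regexes that stand in for real sensitive information types are all constructed for the example. The proactive function flags personal data shared outside the tenant; the reactive function collects everything about one person, suppresses duplicate copies by content hash, and queues the rest for human review, which is the search/collect/de-duplicate/flag sequence from the scenario.

```python
"""Toy model of the two Priva capabilities (constructed example, not the
Priva API). Two functions over a made-up Microsoft 365 tenant:

  scan_privacy_risks()      proactive: personal data shared with external users
  subject_rights_request()  reactive: collect, de-duplicate, queue for review
"""
import hashlib
import re
from dataclasses import dataclass

# Assumption: a US SSN-style pattern and an email pattern stand in for the
# sensitive information types a real scanner would use.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")

INTERNAL_DOMAIN = "medguard.example"  # constructed tenant domain


@dataclass(frozen=True)
class Item:
    source: str          # Exchange, SharePoint, OneDrive or Teams
    path: str            # where the item lives (constructed)
    content: str         # item text
    shared_with: tuple   # addresses the item is shared with


# Constructed corpus: the same patient record exists in three places.
RECORD = ("Patient: Alex Rivera, DOB 1980-04-02, SSN 123-45-6789, "
          "alex.rivera@example.net")
TENANT = [
    Item("Exchange", "nadia@medguard.example/Inbox/msg-1", RECORD,
         ("nadia@medguard.example",)),
    Item("SharePoint", "Clinical/Records/rivera.docx", RECORD,
         ("nadia@medguard.example", "partner@otherclinic.example")),
    Item("OneDrive", "torres@medguard.example/rivera-copy.docx", RECORD,
         ("torres@medguard.example",)),
    Item("Teams", "Clinical channel/msg-42",
         "Reminder: Alex Rivera follow-up on Friday",
         ("clinical-team@medguard.example",)),
    Item("SharePoint", "HR/Policies/handbook.docx",
         "Staff handbook v3, no personal data here",
         ("all@medguard.example", "auditor@example.org")),
]


def contains_personal_data(text: str) -> bool:
    """True if the text matches one of the stand-in sensitive patterns."""
    return bool(SSN_RE.search(text) or EMAIL_RE.search(text))


def is_external(address: str) -> bool:
    """An address is external if it is not in the tenant's own domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def scan_privacy_risks(items=TENANT) -> list:
    """Proactive side: items that hold personal data AND are shared externally."""
    findings = []
    for item in items:
        external = [a for a in item.shared_with if is_external(a)]
        if contains_personal_data(item.content) and external:
            findings.append((item.source, item.path, external))
    return findings


def subject_rights_request(subject_name: str, items=TENANT) -> dict:
    """Reactive side: every item about one person, de-duplicated by content.

    Unique hits go to a review queue (a human checks them before release);
    byte-identical copies found elsewhere are recorded but not re-reviewed.
    """
    needle = subject_name.lower()
    seen = set()
    review_queue, duplicates = [], []
    for item in items:
        if needle not in item.content.lower():
            continue
        digest = hashlib.sha256(item.content.encode()).hexdigest()
        if digest in seen:
            duplicates.append((item.source, item.path))
        else:
            seen.add(digest)
            review_queue.append((item.source, item.path))
    return {"review_queue": review_queue, "duplicates_suppressed": duplicates}


if __name__ == "__main__":
    for finding in scan_privacy_risks():
        print("RISK:", finding)
    print(subject_rights_request("Alex Rivera"))
```

Running the block reports one risk (the SharePoint copy of the record shared with partner@otherclinic.example) and, for the DSAR, two items to review (the Exchange message and the Teams reminder) with the SharePoint and OneDrive copies suppressed as duplicates. The de-duplication step matters in practice: without it the reviewer would re-read the same record three times, and the response to the patient would list the same data three times.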

💡 Exam tip: Priva vs Purview DLP

Don’t confuse Priva with DLP (Data Loss Prevention).

  • Priva focuses on privacy — finding personal data, managing privacy risks, handling data subject requests
  • DLP focuses on data protection — preventing sensitive data from being shared or leaked

Both deal with sensitive data, but from different angles. Priva answers “where is personal data and who can access it?” DLP answers “is someone trying to share sensitive data they shouldn’t?”

Flashcards

Question: What is the Service Trust Portal?

Answer: A website (servicetrust.microsoft.com) where Microsoft publishes independent audit reports, compliance certificates, and trust documentation. You sign in with a Microsoft cloud account and accept an NDA to access documents.

Question: Name Microsoft’s six privacy principles.

Answer: 1. Control — 2. Transparency — 3. Security — 4. Strong legal protections — 5. No content-based targeting — 6. Benefits to you. The key exam fact: Microsoft does NOT scan your content to serve ads.

Question: What are the two main capabilities of Microsoft Priva?

Answer: 1. Privacy Risk Management — proactively finds personal data and flags privacy risks (overexposure, over-retention). 2. Subject Rights Requests — automates responses to data subject access requests (DSARs) required by GDPR and similar laws.

Question: What is the Data Protection Addendum (DPA)?

Answer: A contractual supplement to your Microsoft licensing agreement that legally defines how Microsoft processes customer data, including security commitments, breach notification, and GDPR provisions. It turns privacy principles into enforceable obligations.

Knowledge Check

  1. Nadia’s external auditor requires proof that Microsoft’s cloud services meet ISO 27001 standards. Where should Nadia go to find this documentation?
  2. A former patient requests that MedGuard Health provide all personal data the organisation holds about them. Which Microsoft tool should Nadia use to handle this efficiently?
  3. Which Microsoft privacy principle states that your email and document content will NOT be used to target you with advertising?


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.